How can we restrict access to methods with specific HTTP verbs in C# ASP.NET Web API?

In ASP.NET Web API, HTTP verbs define the actions that can be performed on resources. The primary HTTP verbs are GET, POST, PUT, PATCH, and DELETE: GET reads, POST creates, PUT and PATCH update, and DELETE deletes. You can restrict access to specific action methods using HTTP verb attributes or by following naming conventions.

ASP.NET Web API provides two main approaches to restrict method access: naming conventions and HTTP verb attributes. Both ensure that your API endpoints respond only to the intended HTTP methods, which improves API design and keeps state-changing actions from being reachable through an unintended verb. Verb restrictions do not authenticate or authorize the caller; that remains a separate control.

HTTP Verbs and CRUD Operations

| HTTP Verb | CRUD Operation | Purpose |
|-----------|----------------|---------|
| GET | Read | Retrieve data from the server |
| POST | Create | Create new resources |
| PUT | Update | Update existing resources completely |
| PATCH | Update | Partial updates to resources |
| DELETE | Delete | Remove resources from the server |

Using Naming Conventions

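Action methods can be named using HTTP verbs as prefixes, and Web API maps each HTTP request to a method based on that prefix. A public action method that has neither a verb prefix nor a verb attribute accepts POST only. For example −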

using System.Web.Http;

public class Student {
    public int Id { get; set; }
    public string Name { get; set; }
}

public class StudentsController : ApiController {
    public IHttpActionResult GetAllStudents() {
        // Handles GET requests
        var students = new[] { 
            new Student { Id = 1, Name = "Alice" },
            new Student { Id = 2, Name = "Bob" }
        };
        return Ok(students);
    }
    
    public IHttpActionResult Post([FromBody]Student student) {
        // Handles POST requests
        // Insert student logic here
        return Ok("Student created successfully");
    }
    
    public IHttpActionResult Put([FromBody]Student student) {
        // Handles PUT requests
        // Update student logic here
        return Ok("Student updated successfully");
    }
    
    public IHttpActionResult Delete(int id) {
        // Handles DELETE requests
        // Delete student logic here
        return Ok("Student deleted successfully");
    }
}

Using HTTP Verb Attributes

HTTP verb attributes provide explicit control over which HTTP methods can access specific action methods. This approach offers more flexibility and clarity −

using System.Collections.Generic;
using System.Web.Http;

public class StudentsController : ApiController {
    
    [HttpGet]
    public IHttpActionResult FetchStudentsList() {
        List<Student> students = new List<Student> {
            new Student { Id = 1, Name = "Mark" },
            new Student { Id = 2, Name = "John" },
            new Student { Id = 3, Name = "Sarah" }
        };
        return Ok(students);
    }
    
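    [HttpPost]
    public IHttpActionResult CreateStudent([FromBody]Student student) {
        // A missing or unparseable request body binds to null
        if (student == null) return BadRequest("Student data is required");
        // Create logic here
        return Ok("Student created with ID: " + student.Id);
    }
    
    [HttpPut]
    public IHttpActionResult UpdateStudent([FromBody]Student student) {
        if (student == null) return BadRequest("Student data is required");
        // Update logic here
        return Ok("Student updated: " + student.Name);
    }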
    
    [HttpDelete]
    public IHttpActionResult RemoveStudent(int id) {
        // Delete logic here
        return Ok("Student with ID " + id + " deleted");
    }
}

Method Access Restriction in Action

When you try to access a method with an incorrect HTTP verb, Web API returns a 405 Method Not Allowed status code. For example, if FetchStudentsList() is decorated with [HttpGet] and you send a POST request, the server will reject it.

using System.Web.Http;

public class TestController : ApiController {
    
    [HttpGet]
    public IHttpActionResult GetData() {
        return Ok("This method only accepts GET requests");
    }
    
    [HttpPost]
    public IHttpActionResult PostData([FromBody]string data) {
        return Ok("This method only accepts POST requests with data: " + data);
    }
}

Testing with the wrong HTTP method results in −

HTTP/1.1 405 Method Not Allowed
Content-Type: application/json

{
  "Message": "The requested resource does not support http method 'POST'."
}

Multiple HTTP Verbs

You can allow multiple HTTP verbs for a single action method using multiple attributes −

using System.Web.Http;

public class FlexibleController : ApiController {
    
    [HttpGet]
    [HttpPost]
    public IHttpActionResult HandleBothMethods() {
        string method = Request.Method.Method;
        return Ok("This method accepts both GET and POST. Current method: " + method);
    }
}
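
The following is an added example, not code from the original page: a reflection check that lists every action relying on a naming convention instead of a verb attribute, together with the verb Web API infers for it. ReportsController, VerbAudit and Program are hypothetical names, and the check assumes the Web API 2 assembly (System.Web.Http) is referenced.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Http;
using System.Web.Http.Controllers;

// Constructed sample controller (hypothetical, not from the page).
public class ReportsController : ApiController {
    [HttpGet]
    public IHttpActionResult List() { return Ok(new[] { "q1", "q2" }); }

    // No attribute: the "Get" prefix exposes this state-changing action to GET.
    public IHttpActionResult GetOrCreateDraft(int id) { return Ok(id); }

    // No attribute, no verb prefix: Web API falls back to POST.
    public IHttpActionResult Purge() { return Ok(); }

    [NonAction]   // public helper, explicitly excluded from action selection
    public string FormatTitle(string raw) { return raw.Trim(); }
}

public static class VerbAudit {
    // Name prefixes that Web API maps to a verb by convention.
    static readonly string[] Prefixes = { "Get", "Post", "Put", "Delete", "Head", "Options", "Patch" };

    // Lists every action in the assembly that has no explicit verb attribute.
    public static List<string> FindImplicitActions(Assembly assembly) {
        var findings = new List<string>();
        foreach (var type in assembly.GetTypes().Where(t => typeof(ApiController).IsAssignableFrom(t)))
        foreach (var m in type.GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)) {
            // Skip property accessors, [NonAction] helpers and ApiController overrides.
            if (m.IsSpecialName || m.IsDefined(typeof(NonActionAttribute), true)) continue;
            if (m.GetBaseDefinition().DeclaringType.IsAssignableFrom(typeof(ApiController))) continue;
            // [HttpGet], [HttpPost], [AcceptVerbs] and the like all implement this interface.
            if (m.GetCustomAttributes(true).OfType<IActionHttpMethodProvider>().Any()) continue;
            var prefix = Prefixes.FirstOrDefault(p => m.Name.StartsWith(p, StringComparison.OrdinalIgnoreCase));
            findings.Add(type.Name + "." + m.Name + " -> " + (prefix ?? "Post").ToUpperInvariant() + " by convention");
        }
        return findings;
    }
}

public static class Program {
    public static int Main() {
        var findings = VerbAudit.FindImplicitActions(typeof(ReportsController).Assembly);
        findings.ForEach(Console.WriteLine);
        return findings.Count == 0 ? 0 : 1;   // non-zero exit fails the build step
    }
}
```

Run as a build or unit-test step, this flags GetOrCreateDraft and Purge in the sample controller, so each finding can be given an explicit verb attribute or marked [NonAction].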

Conclusion

Restricting access to ASP.NET Web API methods using HTTP verb attributes or naming conventions ensures proper API design and security. Use [HttpGet], [HttpPost], [HttpPut], and [HttpDelete] attributes for explicit control, or follow naming conventions like GetStudents(), PostStudent() for automatic mapping.

Updated on: 2026-03-17T07:04:36+05:30
